[jsr-314-open-mirror] [jsr-314-open] [Spec-869-Specify CSRF Solution] PROPOSAL(s)
Andy Schwartz
andy.schwartz at oracle.com
Tue Oct 26 14:41:14 EDT 2010
Hey Kito -
On 10/26/10 2:01 PM, Kito Mann wrote:
> On Mon, Oct 25, 2010 at 8:14 PM, Blake Sullivan
> <blake.sullivan at oracle.com> wrote:
>
>> This leaves the ever popular GETs. I'm probably being lazy, but at this
>> point I'm willing to punt on GETs because of potential problems with:
>>
>> 1) Worries about referer leakage if the secret is encoded in the URL
>> 2) How to deal with bookmarking
>> 3) General dislike for ugly URLs
>>
>> Admittedly, I think that 2) is the only one that really requires more
>> thought, since I think that the solution to 1) is to a) Only worry about
>> CSRF for pages served through a secure channel b) Require that pages served
>> to authenticated users be served through a secure channel. For 3), I think
>> it's gross but, that's just me :)
>>
>
> I think leaving out support for GETs is a bad idea.
I agree that we should support GETs. My concern isn't whether we should
support this - but whether the currently proposed approach of enabling
this on a global/application level is the right way to go. I think we
need a finer grained solution.
Andy
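As an added illustration of the trade-offs discussed in this thread (this is example code written for this page, not from the JSF specification, Mojarra, MyFaces, or anyone on the list), the following Python model shows a per-view CSRF policy instead of a single application-wide switch: POSTs are always checked, GETs are checked only for views that opt in, token-bearing GETs are refused off a secure channel (Blake's points 1a/1b), and a helper strips the token before a URL is bookmarked (point 2). The parameter name `jsf_csrf_token`, the view ids, the session secret and the `secure` flag are all constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed session-scoped secret for the demo; a real implementation would
# generate one per authenticated session (e.g. secrets.token_bytes(32)).
SESSION_SECRET = b"constructed-demo-session-secret-do-not-reuse"

# Assumed request parameter name; the thread does not fix one.
TOKEN_PARAM = "jsf_csrf_token"


def issue_token(secret: bytes, view_id: str) -> str:
    """Per-view token derived from the session secret with HMAC-SHA256.

    Binding the token to the view id means a token that does leak (for example
    through a Referer header) is usable only for that one view, not the session.
    """
    return hmac.new(secret, view_id.encode("utf-8"), hashlib.sha256).hexdigest()


class CsrfPolicy:
    """Finer-grained policy instead of one application-wide on/off switch.

    POST requests are always checked.  GET requests are checked only for the
    views that explicitly opt in, so ordinary bookmarkable pages keep plain URLs.
    """

    def __init__(self, protected_get_views):
        self.protected_get_views = frozenset(protected_get_views)

    def requires_token(self, method: str, view_id: str) -> bool:
        if method == "POST":
            return True
        if method == "GET":
            return view_id in self.protected_get_views
        return False


def validate_request(policy, secret, method, view_id, params, secure):
    """Decide whether a request may proceed; returns (allowed, reason).

    `params` is a dict of request parameters (name -> list of values), as
    parse_qs produces; `secure` says whether the request arrived over TLS.
    """
    if not policy.requires_token(method, view_id):
        return True, "no token required for this view/method"
    if method == "GET" and not secure:
        # A secret in a URL can leak through Referer, so token-bearing GETs are
        # only honoured when the page was served over a secure channel.
        return False, "token-bearing GET refused over insecure channel"
    supplied = params.get(TOKEN_PARAM, [None])[0]
    if supplied is None:
        return False, "missing CSRF token"
    if not hmac.compare_digest(supplied, issue_token(secret, view_id)):
        return False, "CSRF token does not match this session and view"
    return True, "CSRF token verified"


def url_carries_token(url: str) -> bool:
    """True when the token sits in the query string, i.e. it would travel in a
    Referer header to any third-party resource the page links to."""
    return TOKEN_PARAM in parse_qs(urlsplit(url).query)


def bookmark_form(url: str) -> str:
    """Return the URL without the token so it can be stored as a bookmark.

    A bookmarked token would be stale once the session ends, so the protected
    view should obtain a fresh token on the next visit rather than reuse it.
    """
    parts = urlsplit(url)
    kept = [(k, v)
            for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
            for v in vs if k != TOKEN_PARAM]
    return parts._replace(query=urlencode(kept)).geturl()


if __name__ == "__main__":
    policy = CsrfPolicy(["/deleteAccount.xhtml"])   # constructed opt-in view
    tok = issue_token(SESSION_SECRET, "/deleteAccount.xhtml")
    print(validate_request(policy, SESSION_SECRET, "GET", "/home.xhtml", {}, True))
    print(validate_request(policy, SESSION_SECRET, "GET", "/deleteAccount.xhtml",
                           {TOKEN_PARAM: [tok]}, True))
    print(validate_request(policy, SESSION_SECRET, "POST", "/home.xhtml", {}, True))
    print(bookmark_form(f"https://app.example/deleteAccount.xhtml?id=7&{TOKEN_PARAM}={tok}"))
```

The per-view HMAC binding is the design choice worth noting: it keeps the token cheap to derive (no server-side token store) while limiting the blast radius of a leaked URL to a single view, which is what makes a view-level opt-in for GETs defensible where a global switch would force every URL to carry the secret.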